Description

In JBoss AS 7.1.1, if a user-provided ServerAuthModule supplies a GroupPrincipalCallback, it is ignored by WebJASPIAuthenticator: the provided handler copies the GroupPrincipalCallback, but the authenticator then does nothing with it. Simultaneously, if the ServerAuthModule does not supply a PasswordValidationCallback to the handler, the authenticator throws a null pointer exception.

Regarding the ignored GroupPrincipalCallback, the problem seems to be in the following code:

The register() method treats both username and password as optional, but because there is no null check on pvc, the above line throws an NPE whenever no PasswordValidationCallback is provided. This could perhaps be changed into something like the following:
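To illustrate the two behaviours the report describes, here is an added, stand-alone JASPI CallbackHandler with a register step that treats the PasswordValidationCallback as optional and actually consumes the groups from the GroupPrincipalCallback. It is example code written for this page, not the reporter's proposed patch nor JBoss AS source; the class name, the `register` signature and the `RegisteredCaller` result type are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;

/** Hypothetical handler: records whatever a ServerAuthModule hands it. */
public class NullSafeJaspiHandler implements CallbackHandler {
    private CallerPrincipalCallback cpc;
    private PasswordValidationCallback pvc; // may legitimately stay null
    private GroupPrincipalCallback gpc;     // may legitimately stay null

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof CallerPrincipalCallback) {
                cpc = (CallerPrincipalCallback) cb;
            } else if (cb instanceof PasswordValidationCallback) {
                // A real handler would validate against the realm here and call setResult().
                pvc = (PasswordValidationCallback) cb;
            } else if (cb instanceof GroupPrincipalCallback) {
                gpc = (GroupPrincipalCallback) cb;
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** Assumed result holder: who was registered and with which groups. */
    public record RegisteredCaller(String username, boolean passwordSupplied, List<String> groups) {}

    /** Stand-in for the authenticator's register step (hypothetical signature). */
    public RegisteredCaller register(Subject subject) {
        if (cpc == null) {
            throw new IllegalStateException("module supplied no CallerPrincipalCallback");
        }
        // The module may give a name or a Principal; accept either.
        String username = cpc.getName() != null ? cpc.getName() : cpc.getPrincipal().getName();
        // Guard the optional callback instead of dereferencing it unconditionally.
        boolean passwordSupplied = pvc != null && pvc.getPassword() != null;
        // Honour the groups instead of dropping them after copying the callback.
        List<String> groups = (gpc != null && gpc.getGroups() != null)
                ? Arrays.asList(gpc.getGroups()) : Collections.emptyList();
        return new RegisteredCaller(username, passwordSupplied, groups);
    }
}
```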